Progress Software disclosed and patched serious vulnerabilities in Kemp LoadMaster that could let attackers compromise load balancers deployed at the core of enterprise networks. The most prominent issue, tracked as CVE-2026-8037, was described in public advisories as affecting API methods including dodelapikey and dolistapikeys, where improper handling of memory could allow remote code execution after authentication, in some cases with root or administrator-level impact. Separate reporting also characterized CVE-2026-8037 as a critical API command-injection issue that could permit arbitrary command execution and full administrative control of the appliance.
Progress released updates to address the flaws, including patched firmware versions v7.2.63.2 and v7.2.54.18, and said the fixes also apply to ECS Connection Manager and Connection Manager for ObjectScale. A second vulnerability, CVE-2026-33691, affects the OWASP CRS handling of multipart requests by failing to normalize whitespace in filenames, creating a path to bypass firewall extension checks. Security researchers credited in the disclosures include Syed Ibrahim Ahmed and Jacky Yang of TrendAI Research, and defenders were urged to patch quickly because compromise of internet-facing load balancers could provide a foothold for deeper intrusion into enterprise environments.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
9 events from the most recent confirmed update back to the earliest known activity.
eSentire's Threat Response Unit reported active exploitation attempts against Progress Kemp LoadMaster vulnerability CVE-2026-8037 beginning on June 29, 2026. The attempts observed were unsuccessful and did not lead to post-compromise activity.
watchTowr Labs published a detailed exploit analysis and working proof of concept for the pre-auth root command injection flaw CVE-2026-8037 in Progress Kemp LoadMaster. The publication provided public exploitation details for the edge-exposed vulnerability after Progress and ZDI had already disclosed and patched it.
Progress disclosed and fixed two serious vulnerabilities in Kemp LoadMaster, including CVE-2026-8037 and CVE-2026-33691, and urged customers to patch immediately. The company said patched firmware versions v7.2.63.2 and v7.2.54.18 address the issues, which also affect ECS Connection Manager and Connection Manager for ObjectScale.
Zero Day Initiative publicly released advisories ZDI-26-340 and ZDI-26-341 on June 9, 2026 for remote code execution vulnerabilities affecting Progress Software Kemp LoadMaster. The advisories describe flaws in the dodelapikey and dolistapikeys methods and note that Progress had released updates to address them.
Zero Day Initiative publicly disclosed ZDI-26-338 / CVE-2026-24162 on June 9, 2026, describing a remote code execution flaw in NVIDIA Transformers4Rec's Model.load function. Exploitation requires user interaction such as opening a malicious file or visiting a malicious page.
Progress Software released updates to remediate vulnerabilities affecting Kemp LoadMaster, including issues later described in ZDI-26-340 and ZDI-26-341. Separate reporting says patched firmware versions include v7.2.63.2 and v7.2.54.18, with fixes also applying to ECS Connection Manager and Connection Manager for ObjectScale.
According to ZDI's coordinated disclosure timeline, Progress Software was notified on April 15, 2026 about a remotely exploitable vulnerability in Kemp LoadMaster later tracked under ZDI-26-341 and CVE-2026-8037. The issue was credited to Jacky Yang and Syed Ibrahim Ahmed of TrendAI Research.
NVIDIA issued an update to fix CVE-2026-24162, a deserialization of untrusted data vulnerability in the Transformers4Rec Model.load function that can lead to arbitrary code execution. The issue was credited to Javohir Abduxalilov.
Microsoft disclosed CVE-2026-26142, a critical deserialization-based remote code execution vulnerability in Nuance PowerScribe, and stated that an official fix is available. The company said the issue had not been publicly disclosed or exploited in the wild at the time of disclosure and credited Jan Rodríguez and Víctor A. Morales of GM Sectec, Corp.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
12 references tracked. Mallory keeps watching after this page renders.
socradar.io
Open sourcescworld.com
Open sourcethehackernews.com
Open sourcecybersecuritynews.com
Open sourcezerodayinitiative.com
Open sourcezerodayinitiative.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.